Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

[andrewdavey]

Describe the bug

My github workflows that use aws-actions/configure-aws-credentials@v1-node16 have stopped working today. No changes have been made recently to the workflows, or my AWS accounts.

Expected Behavior

The step should succeed without any error.

Current Behavior

Error logged in the GitHub runner

Run aws-actions/configure-aws-credentials@v1-node16
  with:
    role-to-assume: arn:aws:iam::xxxxxxxxxxx:role/github-actions-role
    aws-region: eu-west-2
    audience: sts.amazonaws.com
Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Reproduction Steps

I've copied what I think are the relevant parts of my workflow yml.

name: Test Workflow
on: push
permissions:
  id-token: write
  contents: read
env:
  aws_tools_account: "00000000000"
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "Configure AWS Credentials: Tools account"
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          role-to-assume: arn:aws:iam::${{ env.aws_tools_account }}:role/github-actions-role
          aws-region: eu-west-2

Possible Solution

No response

Additional Information/Context

No response

[andrewdavey]

Sorry, I just found this closed issue that sounds similar:
#357

Has the problem reoccurred?

[sionelt]

Seeing the same error as well in our pipeline just now. No changes were made to our OpenIDConnect provider in IAM. We are using v1 with nodev16.

[excruzme]

Same issue this morning. Can confirm our thumbprint didn't change overnight. Also using @v1-node16.

[alakin-11]

Same error I am seeing as well using aws-actions/configure-aws-credentials@v1.

[l0b0]

Open source project seeing the same issue, using this OIDC provider, in case that helps with reproduction. From a recent job:

Run aws-actions/[email protected]
  with:
    aws-region: […]
    mask-aws-account-id: true
    role-to-assume: arn:aws:iam::[…]:role/CiOidc
    audience: sts.amazonaws.com
  env:
    NPM_CONFIG_USERCONFIG: /home/runner/work/_temp/.npmrc
    NODE_AUTH_TOKEN: […]
    pythonLocation: /opt/hostedtoolcache/Python/3.9.13/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.9.13/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.9.13/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.9.13/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.9.13/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.9.13/x64/lib
    AWS_DEFAULT_REGION: ap-southeast-2
    CiOidc: arn:aws:iam::[…]:role/CiOidc
    NonProdOidc: arn:aws:iam::[…]:role/NonProdOidc
    ProdOidc: arn:aws:iam::[…]:role/ProdOidc
Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

FYI, this was caused by a bug in CDK. It seems to have been fixed three days ago.

[faiare]

I had a same issue, but solved it by adding the latest fingerprint from this one-liner to ID provider.
#357 (comment)

[kchandra548]

AWS pins OIDC IdentityProvider's ICA(Intermediate CA) thumbprint while creating an IdP from the AWS console.

I dont see any change in the ICA and the thumbprint (6938fd4d98bab03faadb97b34396831e3780aea1)
Could you please share the thumbprint that you are using.

FYI: If you are creating IDP from CLI, follow this doc to get thumbprint.

[jetexe]

I dont see any change in the ICA and the thumbprint (6938fd4d98bab03faadb97b34396831e3780aea1)
Could you please share the thumbprint that you are using.

I can get f879abce0008e4eb126e0097e46620f5aaae26ad using one-liner from #357 (comment)

[kchandra548]

Yeah I think that is certificate's thumbprint. If you try creating IdP frm IAM console it uses ICA's thumbprint

The thumbprint of the certificate will vary with each rotation, but the not the ICA's(This is also not guaranteed but generally ppl use same ICA for certian period).
FYI : Here is the last time's blog post https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws which mentions using 6938fd4d98bab03faadb97b34396831e3780aea1 as the thumbprint

[pbrisbin]

Using the 6938 Thumprint fixed it for us. We must have been using an old certificate (not ICA), which we probably got from a similar one-liner that is giving the f879 number now. So I'd expect that to work again too, but break again later. Be careful out there!

[andrewdavey]

Thanks for all the links everyone - Adding the new thumbprint fixed it for me.

I had originally created the Open ID Connect Provider using AWS CDK like this:

const provider = new OpenIdConnectProvider(this, "GitHubProvider", {
  url: "https://token.actions.githubusercontent.com",
  clientIds: ["sts.amazonaws.com"],
});

There is an optional thumbprints property I wasn't passing, so I think it used a now out of date value.

[dacort]

AWS CDK

CDK fetches the thumbprint for you when you deploy. GitHub recently updated the certificate (which will happen again in another year), hence the reason this came up.

* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.actions.githubusercontent.com
*  start date: Nov  4 00:00:00 2022 GMT
*  expire date: Nov  7 23:59:59 2023 GMT

[peterwoodworth]

Just to confirm, everyone running into this issue is defining the OIDC provider through CDK right?

[excruzme]

Just to confirm, everyone running into this issue is defining the OIDC provider through CDK right?

I had a same issue, but solved it by adding the latest fingerprint from this one-liner to ID provider. #357 (comment)

Yep, that's how I ran into the issue 👍 And this solution worked for me. All sorted now.

[jetexe]

Update to aws-cdk with fix is now available

[github-actions]

⚠️Comment Visibility Warning⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.